The vulnerability is caused by missing input validation in the timer_interval parameter and can be exploited to inject and execute arbitrary shell commands. It is possible to start a telnetd or upload and execute a backdoor to compromise the device.
You need to be authenticated to the device or you have to find other methods for inserting the malicious commands.

* For changing the password there is no request to the current password.

With this vulnerability an attacker is able to change the current password without knowing it. The attacker needs access to an authenticated browser.

* Stored XSS

Injecting scripts into the parameter policy_name reveals that this parameter is not properly validated for malicious input. You need to be authenticated or you have to find other methods for inserting the malicious JavaScript code.